
    Squid not working in Transparent mode on pfsense configured in a bridge mode

    pfSense Packages
chuksonpfsense

Sorry, I had already posted this same question under FIREWALL but I thought it may be better to post it under PACKAGES.

I have recently deployed pfSense 2.0.2 in a transparent firewall/bridge mode. My network configuration is this:

Modem -----Mikrotik Router---------pfSense (transparent firewall/bridge mode) ----------------switch--------clients

Without squid proxy, clients can have access to the internet. After installing squid and configuring it in transparent mode so that I do not have to configure each client browser (we have more than 100 clients), the clients cannot access the internet. But if I configure squid in NON-TRANSPARENT mode, i.e. uncheck the Transparent proxy box, the clients will have access to the Internet. If I revert back to transparent mode, i.e. check the Transparent proxy box on the pfSense, and leave the proxy setting in the browsers, then the clients can access the internet. But once I remove the proxy settings from the browser while squid is in transparent mode, the clients will not have access to the internet.

HTTP packets did NOT get to the WAN interface of the pfSense when I used pfSense Packet Capture to capture packets going through the WAN interface of the pfSense when squid is configured in transparent mode.

I have searched for any helpful information to make squid work in transparent mode on pfSense configured as a transparent firewall/bridge but have so far found NO useful information.

Please, any help will be appreciated. I need to get squid working because that's one of the reasons I set up the pfSense box.

      Thank you.

deltalord

        @chuksonpfsense:

If I revert back to transparent mode, i.e. check the Transparent proxy box on the pfSense, and leave the proxy setting in the browsers, then the clients can access the internet. But once I remove the proxy settings from the browser while squid is in transparent mode, the clients will not have access to the internet.

Could you please phrase your problem differently, because the sequence of sentences doesn't give a clear picture of:

        • where you started
        • where you have been in the middle
        • where you exactly left off

        I only know that you want to configure squid in transparent mode. That's why I don't understand what you mean by the above marked sentence.

chuksonpfsense

Thank you, deltalord.

          To make it simple:

When I configure squid in transparent proxy mode, the computers on the LAN CANNOT access the internet. If I disable squid, the computers CAN access the internet.

Sorry for the mix-up, I was only trying to explain some things I have tried so far to solve the problem.

          I hope you can now understand.

deltalord

            Ok, just for clarification, you tried the following setups, am I right?

• No squid activated --> working WAN connection for the clients
• Activate squid w/o transparent mode (thus client auth mode) with squid credentials within the browser proxy settings ---> working WAN connection for the clients
• Activate squid in transparent mode (obviously without squid's credentials within browser proxy settings) ---> broken WAN connection for the clients
• Activate squid in transparent mode BUT still having the proxy settings within the browser config ---> working WAN connection for the clients

chuksonpfsense

              @deltalord:

              Ok, just for clarification, you tried the following setups, am I right?

• No squid activated --> working WAN connection for the clients
• Activate squid w/o transparent mode (thus client auth mode) with squid credentials within the browser proxy settings ---> working WAN connection for the clients
• Activate squid in transparent mode (obviously without squid's credentials within browser proxy settings) ---> broken WAN connection for the clients
• Activate squid in transparent mode BUT still having the proxy settings within the browser config ---> working WAN connection for the clients

YES, that's exactly the situation.

jimp (Rebel Alliance Developer, Netgate)

                It's been covered before, but it's been a while:

                Squid + Transparent mode alone + Bridge does not, and cannot work. Not sure if that will change in the future.

                If you have the settings in the user's browser, then it is not using transparent mode.

                Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                Need help fast? Netgate Global Support!

                Do not Chat/PM for help!

chuksonpfsense

                  @jimp:

                  It's been covered before, but it's been a while:

                  Squid + Transparent mode alone + Bridge does not, and cannot work. Not sure if that will change in the future.

                  If you have the settings in the user's browser, then it is not using transparent mode.

Are you saying that I cannot run squid in transparent mode on pfSense configured as a transparent firewall/bridge? Does it mean you can only run squid in transparent mode if you configure pfSense as the router?

Could you please throw more light on this?

                  Thank you.

jimp (Rebel Alliance Developer, Netgate)

                    Correct.

                    Squid + Transparent + Bridge == Broken
                    Squid + Transparent + Routing == OK

chuksonpfsense

                      @jimp:

                      Correct.

                      Squid + Transparent + Bridge == Broken
                      Squid + Transparent + Routing == OK

Please, I'm actually a newbie in pfSense. I really like some features of pfSense that I would want to deploy. Would you please advise me on how to deploy it in my network together with the Mikrotik Router? I want to keep the Mikrotik and still enjoy some benefits of pfSense. That was why I configured the pfSense in a bridge mode, but I didn't know that if you configure pfSense in the bridge then squid CANNOT work in transparent mode. Is there a way I can use the Mikrotik router and pfSense without configuring the pfSense in a bridge mode so that I can run squid in transparent mode?

                      Thank you.

chuksonpfsense

                        @Jimp has confirmed that squid CANNOT work in transparent mode while pfSense is configured as a transparent firewall/filtering bridge.

Now how can I configure pfSense as a firewall behind a Mikrotik router? I have attached the network diagram. I don't want to replace the Mikrotik router completely, hence the need to have the two on the network.

                        I saw this article: "http://fafadiatech.blogspot.com/2012/05/setting-up-pfsense-as-main-firewall-and.html" but the writer was not specific with his configurations.

Any help will be appreciated.

[attachment: network_diagram.jpg]

phil.davis

In that article he shows a Cisco router where your Mikrotik router is in your diagram. But in the setup he has the public WAN IP on the pfSense firewall. I don't know what the Cisco in his diagram is doing - from what he sets up, the Cisco is passing through ("bridging"?) the external public IP to the pfSense.
Why do you want to retain the Mikrotik? Is there other gear between the Mikrotik and pfSense that you want in front of the pfSense for some reason?
I would have just put the pfSense WAN to the modem and let pfSense WAN have the public IP address - it is a firewall+router first, as well as able to do Squid proxy etc.

                          As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                          If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

chuksonpfsense

Thanks, phil.

I know in the article a Cisco router was used, but I cited it because it has a setup close to mine. As for his configuration, I wouldn't know what he did.

                            I'm going ahead with the installation. I will get back to this forum as it progresses.

chuksonpfsense

                              Preliminary update:

I have successfully configured the pfSense behind the edge Mikrotik router. However, in order not to cut users off the internet, I connected the pfSense WAN to the switch where the Mikrotik is connected too. So I have:

internet--------mikrotik-------switch--------WAN pfsense LAN------switch------PC
                                  |
                                  Production LAN

Mikrotik: WAN - DHCP
          LAN - 192.168.20.2

pfsense:  WAN - 192.168.20.1
          LAN - 192.168.21.1

PC:       LAN - 192.168.21.2

Prod LAN - 192.168.20.x

My production LAN traffic FOR NOW goes straight to the Mikrotik and uses the default gateway of 192.168.20.2, while I'm using the PC (the only computer connected through the pfSense) to configure and test the connectivity. The PC has a default gateway of 192.168.21.1.

The pfSense and Mikrotik are doing double NATing. I can access the internet from the PC. The pfSense can resolve domain names and download packages. Everything seems to be going well. When I disable NAT on the pfSense, the PC loses access to the internet, which is understandable knowing that the PC and the LAN of the Mikrotik are in different subnets.

My next step is to install some packages, especially squid, and see how it works, play around with some configurations, and I promise to keep you posted.

Lastly, I will remove the switch before the Mikrotik router and wire the pfSense WAN straight to the ROUTER LAN and force every user to pass through the pfSense.

I'm excited and will post all the stages here, it might just help someone.

deltalord
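The double NAT described in the update above, as an added example that is not part of the thread and not pfSense, Squid or Mikrotik code: a small Python model of the two routing tables and NAT steps, using the addresses from the post (the server and the ISP uplink are constructed stand-ins). It reproduces the observation that turning off NAT on pfSense breaks the PC's return path, and goes one step beyond the post by showing that a static route on the Mikrotik for 192.168.21.0/24 via 192.168.20.1 (an assumption here, not something the poster configured) would be the routed alternative to the second NAT.

```python
"""Toy routing/NAT trace of the double-NAT topology from the forum post.
Added example; addresses are the post's, SERVER is a constructed TEST-NET-3 address."""
import ipaddress

MIKROTIK_LAN = ipaddress.ip_network("192.168.20.0/24")   # Mikrotik LAN = pfSense WAN side
PFSENSE_LAN = ipaddress.ip_network("192.168.21.0/24")    # pfSense LAN
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

PC = ipaddress.ip_address("192.168.21.2")
PFSENSE_LAN_IP = ipaddress.ip_address("192.168.21.1")    # PC's default gateway
PFSENSE_WAN_IP = ipaddress.ip_address("192.168.20.1")
MIKROTIK_LAN_IP = ipaddress.ip_address("192.168.20.2")   # pfSense's default gateway
SERVER = ipaddress.ip_address("203.0.113.10")            # constructed (TEST-NET-3)
ISP = "isp"                                              # marker for the Mikrotik WAN uplink


def lookup(table, dst):
    """Longest-prefix match over [(network, next_hop)].
    next_hop None means directly connected; ISP means the upstream link."""
    best = None
    for net, next_hop in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def pfsense_table():
    return [(PFSENSE_LAN, None), (MIKROTIK_LAN, None), (DEFAULT, MIKROTIK_LAN_IP)]


def mikrotik_table(static_route_to_pfsense_lan=False):
    """The Mikrotik only knows its own LAN plus a default route, unless an operator
    adds a static route for 192.168.21.0/24 via 192.168.20.1 (assumed here, not in the post)."""
    table = [(MIKROTIK_LAN, None), (DEFAULT, ISP)]
    if static_route_to_pfsense_lan:
        table.append((PFSENSE_LAN, PFSENSE_WAN_IP))
    return table


def gateways_on_link():
    """Sanity check on the addressing plan: every host's gateway shares its subnet."""
    return (PFSENSE_LAN_IP in PFSENSE_LAN and PC in PFSENSE_LAN
            and MIKROTIK_LAN_IP in MIKROTIK_LAN and PFSENSE_WAN_IP in MIKROTIK_LAN)


def reply_reaches_pc(pfsense_nat, mikrotik_static_route=False):
    """Trace PC -> SERVER and the reply back. True when the reply is delivered to
    the PC, False when the Mikrotik has no usable route for the inner address."""
    # Forward path: pfSense sends the packet to the Mikrotik via its default route.
    hop = lookup(pfsense_table(), SERVER)
    if hop[1] != MIKROTIK_LAN_IP:
        return False
    inner_src = PFSENSE_WAN_IP if pfsense_nat else PC   # source as seen by the Mikrotik
    # The Mikrotik NATs to its public address and records inner_src in its state table;
    # on the reply it restores inner_src as the destination and then routes it.
    route = lookup(mikrotik_table(mikrotik_static_route), inner_src)
    if route[1] == ISP:
        return False            # private address forwarded toward the ISP: lost
    if route[1] is None:
        return inner_src == PFSENSE_WAN_IP   # pfSense's own NAT state maps it back to the PC
    # Static route: the Mikrotik hands the reply to pfSense WAN, pfSense delivers into its LAN.
    return route[1] == PFSENSE_WAN_IP and lookup(pfsense_table(), inner_src)[1] is None


if __name__ == "__main__":
    print("addressing plan consistent:", gateways_on_link())
    print("pfSense NAT on:", reply_reaches_pc(True))
    print("pfSense NAT off:", reply_reaches_pc(False))
    print("NAT off + static route on Mikrotik:", reply_reaches_pc(False, True))
```

The model only tracks routing decisions and the two NAT state tables; it does not model firewall rules, so a real deployment also needs the pfSense WAN rules to pass the replies the Mikrotik forwards.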

Glad you made an effort! Thanks for the update, keep us posted; I'm always interested in unconventional setups and in seeing them working.

chuksonpfsense

Further update:
Squid is working in transparent mode!!! Also, I got bandwidthd and lightsquid working. I must mention that I tried WITHOUT success to get bandwidthd working in bridge mode. Meanwhile, lightsquid did not work in my previous configuration, obviously because transparent squid was not working. So I was glad to get it working, so I can now say that:

                                  pfsense in bridge mode + bandwidthd = BROKEN
                                  pfsense in bridge mode + lightsquid = BROKEN

                                  Next step:
                                  Configure client-to-site VPN
                                  Install and configure other packages including squidguard, snort, ntop, etc.
                                  Connect the production LAN through the pfsense
                                  Report back to the forum  ;D

Well, that will be on Monday, 18/3/2013.

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.